Add auth controller for SVR3 to /v3/backup.

2026-04-21 17:29:38 +01:00 · 2023-11-30 16:50:21 -07:00
parent c18aca9215
commit 22e6584402
8 changed files with 264 additions and 3 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecovery2Controller.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecovery2Controller.java
@@ -5,6 +5,7 @@

 package org.whispersystems.textsecuregcm.controllers;

+import com.google.common.annotations.VisibleForTesting;
 import io.dropwizard.auth.Auth;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
@@ -22,7 +23,6 @@ import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
-import org.jetbrains.annotations.TestOnly;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
 import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
@@ -45,7 +45,7 @@ public class SecureValueRecovery2Controller {
    return credentialsGenerator(cfg, Clock.systemUTC());
  }

-  @TestOnly
+  @VisibleForTesting
  public static ExternalServiceCredentialsGenerator credentialsGenerator(final SecureValueRecovery2Configuration cfg, final Clock clock) {
    return ExternalServiceCredentialsGenerator
        .builder(cfg.userAuthenticationTokenSharedSecret())
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecovery3Controller.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecovery3Controller.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.controllers;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.dropwizard.auth.Auth;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsSelector;
+import org.whispersystems.textsecuregcm.configuration.SecureValueRecovery3Configuration;
+import org.whispersystems.textsecuregcm.entities.AuthCheckRequest;
+import org.whispersystems.textsecuregcm.entities.AuthCheckResponse;
+import org.whispersystems.textsecuregcm.limits.RateLimitedByIp;
+import org.whispersystems.textsecuregcm.limits.RateLimiters;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+
+import java.time.Clock;
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+@Path("/v3/backup")
+@Tag(name = "Secure Value Recovery")
+public class SecureValueRecovery3Controller {
+
+  private static final long MAX_AGE_SECONDS = TimeUnit.DAYS.toSeconds(30);
+
+  public static ExternalServiceCredentialsGenerator credentialsGenerator(final SecureValueRecovery3Configuration cfg) {
+    return credentialsGenerator(cfg, Clock.systemUTC());
+  }
+
+  @VisibleForTesting
+  public static ExternalServiceCredentialsGenerator credentialsGenerator(final SecureValueRecovery3Configuration cfg, final Clock clock) {
+    return ExternalServiceCredentialsGenerator
+        .builder(cfg.userAuthenticationTokenSharedSecret())
+        .withUserDerivationKey(cfg.userIdTokenSharedSecret().value())
+        .prependUsername(false)
+        .withDerivedUsernameTruncateLength(16)
+        .withClock(clock)
+        .build();
+  }
+
+  private final ExternalServiceCredentialsGenerator backupServiceCredentialGenerator;
+  private final AccountsManager accountsManager;
+
+  public SecureValueRecovery3Controller(final ExternalServiceCredentialsGenerator backupServiceCredentialGenerator,
+                                        final AccountsManager accountsManager) {
+    this.backupServiceCredentialGenerator = backupServiceCredentialGenerator;
+    this.accountsManager = accountsManager;
+  }
+
+  @GET
+  @Path("/auth")
+  @Produces(MediaType.APPLICATION_JSON)
+  @Operation(
+      summary = "Generate credentials for SVR3",
+      description = """
+          Generate SVR3 service credentials. Generated credentials have an expiration time of 30 days 
+          (however, the TTL is fully controlled by the server side and may change even for already generated credentials). 
+          """
+  )
+  @ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true)
+  @ApiResponse(responseCode = "401", description = "Account authentication check failed.")
+  public ExternalServiceCredentials getAuth(@Auth final AuthenticatedAccount auth) {
+    return backupServiceCredentialGenerator.generateFor(auth.getAccount().getUuid().toString());
+  }
+
+
+  @POST
+  @Path("/auth/check")
+  @Consumes(MediaType.APPLICATION_JSON)
+  @Produces(MediaType.APPLICATION_JSON)
+  @RateLimitedByIp(RateLimiters.For.BACKUP_AUTH_CHECK)
+  @Operation(
+      summary = "Check SVR3 credentials",
+      description = """
+          Over time, clients may wind up with multiple sets of SVR3 authentication credentials in cloud storage. 
+          To determine which set is most current and should be used to communicate with SVR3 to retrieve a master key
+          (from which a registration recovery password can be derived), clients should call this endpoint 
+          with a list of stored credentials. The response will identify which (if any) set of credentials are appropriate for communicating with SVR3.
+          """
+  )
+  @ApiResponse(responseCode = "200", description = "`JSON` with the check results.", useReturnTypeSchema = true)
+  @ApiResponse(responseCode = "422", description = "Provided list of SVR3 credentials could not be parsed")
+  @ApiResponse(responseCode = "400", description = "`POST` request body is not a valid `JSON`")
+  public AuthCheckResponse authCheck(@NotNull @Valid final AuthCheckRequest request) {
+    final List<ExternalServiceCredentialsSelector.CredentialInfo> credentials = ExternalServiceCredentialsSelector.check(
+        request.passwords(),
+        backupServiceCredentialGenerator,
+        MAX_AGE_SECONDS);
+
+    // the username associated with the provided number
+    final Optional<String> matchingUsername = accountsManager
+        .getByE164(request.number())
+        .map(Account::getUuid)
+        .map(backupServiceCredentialGenerator::generateForUuid)
+        .map(ExternalServiceCredentials::username);
+
+    return new AuthCheckResponse(credentials.stream().collect(Collectors.toMap(
+        ExternalServiceCredentialsSelector.CredentialInfo::token,
+        info -> {
+          if (!info.valid()) {
+            return AuthCheckResponse.Result.INVALID;
+          }
+          final String username = info.credentials().username();
+          // does this credential match the account id for the e164 provided in the request?
+          boolean match = matchingUsername.filter(username::equals).isPresent();
+          return match ? AuthCheckResponse.Result.MATCH : AuthCheckResponse.Result.NO_MATCH;
+        }
+    )));
+  }
+}